continued on page 22
dissimilar in origin, structure, balance and purpose. In many ways,
they even speak different languages. However, there is also common
ground and a working relationship based upon shared tasks and
accountabilities. It is this relationship that must continue to evolve.
"When dealing with data risks in the retail environment,
there's increasingly a link back to the LP teams. The investigation
function is particularly valuable, and a unified strategy only makes
good sense. For our security functions to be most effective, our
professionals must be a collective enterprise," says White. This
requires a comprehensive approach as described here:
■ Recognizing our vulnerabilities to mitigate the risks. This
may also include consulting with specialized professionals
to establish controls, ascertain roles and responsibilities, and
determine effective and efficient protocols.
■ Increased communication and enhanced cooperation. This is
a shared responsibility, and must flow both ways. There must be
shared perspectives and open channels to build these bridges.
■ Additional training. Everyone responsible for protecting this
information must have a strong awareness of the tools and
the power of the data, along with the knowledge and skills to
manage the risks.
With the depth, magnitude, and global reach of several recent
breaches as well as the repercussions for the businesses and
their brands, there is clearly greater awareness to the point that
companies have become much more sensitive to the threat. But this
awareness must be coupled with continuing education, proactive
controls, and actionable plans.
"Every company should start with the proactive assumption that
their perimeters can and will be breached," states White. There must
be a layered defense that would include the following:
■ Appropriate tagging and classifying of data based on importance
and sensitivity.
■ Robust policies and procedures that clearly identify security
expectations.
■ Strong password policies, network controls, and access controls,
including controls over third-party access.
■ Maintenance protocols and keeping software up-to-date.
■ Appropriate education and awareness to keep our teams current
and informed.
■ A quick and diligent response-and-recovery plan in the event of
an intrusion.
■ Continuing and persistent evaluation and updates as necessary
and appropriate.
Every organization must evaluate its own risks and exposures and
establish best practices based upon its specific business needs.
However, that approach should not focus solely on compliance.
What you really have to do is take an active, functional approach
to the business, determine the risks, and then make informed,
intelligent decisions based on the needs, vulnerabilities, and
resources available to the organization.
Perception versus Reality
Recent attacks on retailers, including Target, Neiman Marcus,
Michaels, P.F. Chang's, and others, have focused the attention of
the entire retail community on these cyber-incidents over recent
months, and all have an important connection in cybersecurity
expert and noted blogger Brian Krebs. A journalist and investigative
reporter who broke the news on these and several other prominent
breaches, Krebs is best known for his coverage of profit-seeking
cybercriminals. However, beyond his experience, it is his sharp
instincts and insightful approach that help him stand apart. Recently
he gave a presentation at the 2014 NRF loss prevention conference
and shared some thoughts that should make all of us take notice.
When it comes to protecting our critical information, Krebs
stressed the concept of perception versus reality—how secure you
actually are versus how secure you think you are.
"Most companies think that the automated tools that
they have do a pretty good job at protecting them from these
attacks," he says. "But where they really need to focus more of
their security budgets is on the people to help them interpret all
of the stuff that's being put out, and how to respond to it. Too
many organizations spend way too much emphasis on the tools,
and not enough on the people."
Reflecting on several of the incidents that have garnered his
energy and attention, Krebs feels that companies typically have all
of the information that they need to figure out that they've had a
breach, but no one is looking at and interpreting that information.
He emphasized the importance of communication, teamwork, and
talent. He then proposed the following model to guide those efforts:
■ Identify and protect your soft spots—Determine what
information you feel is vital to protect.
■ Know your enemy—Figure out who you're likely to be targeted
by and what information they want.
■ Invest in talent—Too many organizations rely on
automation for security rather than talent. Get smarter
BUILDING A NEW DEFENSE TEAM
20
JULY - AUGUST 2014 | LPPORTAL.COM